ISO 9001 × ISO 27001 · IMS

One IMS. Two Standards. 60 % Less Effort.

ISO 9001 and ISO 27001 share the High Level Structure (formerly Annex SL): one risk register, one document control process, joint management reviews. Here is how to do it.

  • 60 % HLS overlap (clauses 4 to 10)
  • 1 management review instead of two
  • 1 risk register, with a risk-type column

The Problem

Two management systems, double the effort

Running two parallel management systems burns time and budget

  • Duplicate audit work

    Two audits, two auditors, two preparation cycles. The same interviews with the same stakeholders. Running both standards in parallel doubles your audit days and your management exposure.

  • Redundant risk registers

    Your ISMS risk register lists the same suppliers, systems and processes as your QMS register, just under different names, in different columns and with different scoring scales. Nobody keeps both up to date.

  • Two QM/ISMS teams

    Quality does not talk to Security. Both report into different executives, both compete for the same business-unit time, and both pull the organisation in different directions.

  • Separate documentation

    Two handbooks, two control systems, two version states. Employees look for policies in two places, auditors get contradictory answers, and maintenance effort grows quadratically with every clause.

The Approach

Here is how it works with Kopexa

  1. Shared ISMS/QMS handbook

    One handbook based on the High Level Structure. Clauses 4 to 10 written once, with norm-specific annexes for Annex A (ISO 27001) and customer-focused processes (ISO 9001).

  2. Unified risk management per Annex SL

    One risk register, two views. Risks are captured once, tagged for quality and information security relevance, scored on the same scale and treated in the same pipeline.

  3. One management review cycle

    One quarterly review covers both standards. One set of KPIs, one agenda, one set of minutes. Saves three executive hours per quarter and makes sure quality and security see the same leadership decisions.

  4. Combined internal audits

    One audit plan covers both standards. Interview slots are bundled, evidence is collected once and findings are tracked in a single system. Cuts business-unit load by 40 to 60 percent.

Deep dive

What an integrated management system actually is

An integrated management system (IMS) is the organisational and documentary fusion of multiple management-system standards into a single shared structure. Instead of running two or three parallel worlds, you bundle leadership accountability, risk assessment, document control, audit programme and management review into one system. Most IMS implementations combine ISO 9001 (quality) with ISO 27001 (information security), often complemented by ISO 14001 (environment) or ISO 45001 (occupational health and safety).

The key enabler of an IMS is the High Level Structure (HLS, formerly Annex SL). Since 2012, ISO has aligned all new and revised management-system standards on a common clause structure. ISO 9001:2015 and ISO 27001:2022 both follow this layout, which makes integration dramatically easier.

Why the High Level Structure changes the economics

The HLS defines ten chapters that appear in every ISO management system. Chapters 4 to 10 carry the substance, chapters 1 to 3 cover scope, references and terms.

  • Chapter 4 Context of the organisation: internal and external issues, interested parties, scope. Identical in 9001 and 27001, only the risk lens differs.
  • Chapter 5 Leadership: top management responsibility, policy, roles. An integrated policy can cover both aspects.
  • Chapter 6 Planning: risk-based thinking, objectives and actions. The biggest technical lever of the IMS lives here.
  • Chapter 7 Support: resources, competence, awareness, communication, documented information. Fully integrable.
  • Chapter 8 Operation: the norm-specific part. ISO 9001 demands customer focus and product realisation, ISO 27001 demands risk treatment and operational security.
  • Chapter 9 Evaluation: monitoring, measurement, internal audit, management review. One shared audit plan and one review cycle are enough.
  • Chapter 10 Improvement: nonconformities, corrective action, continual improvement. A single CAPA system serves both norms.

A small clarification: Annex SL was formally renamed to ISO/IEC Directives Part 1 Annex L in 2019. The High Level Structure (HLS, formerly Annex SL) is the correct term today, but many auditors still use the legacy name. The substance has not changed.

Concrete overlaps you can use from day one

You can stand up the following building blocks immediately as shared assets, instead of maintaining them twice.

Context and stakeholders. A stakeholder list with columns for QMS relevance, ISMS relevance and expectations. Customers, suppliers, employees, regulators. Maintained once, evaluated twice.

Risk management. A risk register with a standardised scoring scale (likelihood × impact). Risks are tagged for classification: quality, confidentiality, integrity, availability, compliance. A single risk can carry several tags, but is scored and treated only once.

Document control. A document management system with unified governance: owner, approver, valid version, review cycle. Whether it is a quality policy or an access control concept, the same workflow applies.

Internal audit. A three-year audit plan covering both standards. Auditors are trained for both norms, or qualified as IMS auditors. Each audit slot questions clauses from both standards, evidence is collected once, findings are tracked in a single tool.

Management review. One agenda, one set of minutes, one meeting per quarter or half-year. Standard items: status of objectives, audit results, customer feedback, security incidents, risks, improvement opportunities, resource needs.

Continual improvement. A single CAPA system (Corrective and Preventive Actions) for both worlds. A nonconformity from a QMS audit and a security incident are captured, scored and tracked in the same tool.

A pragmatic 0–12 month roadmap

If you are already ISO 27001 certified and want to add ISO 9001, a realistic timeline looks like this.

Months 0 to 2: gap analysis and architecture. Map existing ISMS documents against ISO 9001:2015. Decide on the shared handbook and tool architecture. Define the joint policy and roles. If you want external support, this is the right time to engage a partner. Alternatively, you can run this phase in-house with a GRC tool such as Kopexa.

Months 2 to 5: close the gaps. Stand up customer-focus processes (8.2 requirements for products and services, 9.1.2 customer satisfaction). Document product-realisation processes (8.3 design and development, 8.5 production and service provision). Extend your existing ISMS risk assessment with a quality lens.

Months 5 to 8: integrate and dry run. Internal audit covering both standards. Management review with combined agenda. Move CAPA tracking onto the integrated system. If your ISO 27001 roadmap is established, many steps can run in parallel.

Months 8 to 10: certification audit. Stage 1 (document review) and Stage 2 (on-site audit) as a combined engagement. Preparation follows our ISO 9001 audit checklist for ISO 27001 organisations.

From month 10: operating phase. Quarterly management reviews, semi-annual partial internal audits, annual surveillance audits by the certification body.

One tool, one risk register, one audit plan

An IMS only works if your tooling plays along. Three separate Excel sheets, two Confluence spaces and a Jira project are not an integrated system, they are three silos sharing a logo.

A modern GRC tool should deliver the following for an IMS:

  • Multi-framework mapping with a single source of truth for risks, controls and evidence.
  • Statement of Applicability for ISO 27001 and process documentation for ISO 9001 in one model. More background in our SoA guide.
  • Audit module that can manage one audit plan across multiple standards.
  • Role-based access so that quality managers and the CISO work in the same system but see different views.

Kopexa supports both self-service teams that want to build the IMS on their own and partner setups where a quality consultant or fractional CISO works alongside you. The tool core stays the same, the roles flex.

Anti-patterns to avoid

We see these mistakes again and again, and they cost the most in money and patience.

Maintaining two separate handbooks but labelling it "IMS". If your QM handbook and your ISMS handbook are two different Word documents, it is not an IMS. Employees keep two versions in their heads, and you have doubled your maintenance cost.

Duplicate interview slots during audits. If the lead auditor for ISO 9001 interviews sales on Monday about supplier evaluation and the lead auditor for ISO 27001 interviews the same sales team on Tuesday about the same supplier topic, you have missed the point of a combined audit. Demand a real IMS audit plan from your certifier.

Two CISOs, or a QM manager and a CISO without a sync routine. Personal ownership can split, but processes have to meet. At minimum a monthly joint steering meeting is required.

Anti-consultant dogma or "we do it all ourselves" purity. Some organisations build an IMS alone, others need a partner for methodology or certification preparation. Both are legitimate. Kopexa works just as well in self-service as in a partner model.

Cross-references for deeper reading

You can go deeper in our comparison ISO 9001 vs ISO 27001, which lays out clause overlap and differences side by side. If you come from the SaaS world specifically, our SaaS playbook for ISO 9001 gives you an adapted view of engineering processes as QMS evidence. For ISO 27001-specific depth, the ISO 27001 roadmap and the Statement of Applicability guide are the right starting points.

An IMS is not a certification trick, it is an investment in a healthy management architecture. If you need both standards anyway, treat them as one system from the start, not as two projects.


Run ISO 9001 + 27001 as an IMS with Kopexa

One tool, one risk register, one audit plan. Book your integration check and see how much of your existing ISMS already covers ISO 9001.